Methods, systems and computer readable media for network tapping and packet brokering in wireless networks

ABSTRACT

A method for network tapping and packet brokering in wireless networks includes tapping a signal in a wireless network and determining whether the signal is a valid signal according to a wireless network protocol. In response to determining that the signal is a valid signal according to the wireless network protocol, the signal is demodulated into a sequence of bits arranged according to the wireless network protocol. In response to determining that the signal is not a valid signal according to the wireless network protocol, an indication that the signal is not a valid signal according to the wireless network protocol is generated. A packet in a format compatible with a network tapping and packet brokering system is generated. At least some of the bits or the indication is inserted in the packet. The packet is transmitted to the network tapping and packet brokering system.

TECHNICAL FIELD

The subject matter described herein relates to network tapping andpacket brokering. More particularly, the subject matter described hereinrelates to methods, systems, and computer readable media for networktapping and packet brokering in wireless networks.

BACKGROUND

Network visibility systems, such as network tapping and packet brokeringsystems, provide network visibility in wired networks. For example,optical and electrical network tap devices are placed in line betweenother wired network devices and copy packets traveling between thedevices. The packet copies are provided to network tool optimizers,which broker the packets to one or more network visibility tools orapplications. In another example, a network switch may include a tapport that provides copies of packets traversing the switch to networkvisibility tools or applications.

Wireless local area network protocols, such as the 802.11ad protocol,provide short range wireless connectivity between processing and storagedevices. Such short range connectivity allows the creation of ad hocnetworks to allow clustering of connected devices to achieve processingand/or storage goals. However, because network visibility products aredesigned for wired networks, network visibility in networks betweendevices connected by short range wireless local area network protocolsis lacking.

Wireless network monitoring devices exist to monitor packets in wirelesslocal area networks. However, such devices may only be capable ofmonitoring packets according to the protocol or protocols for which theyare designed, which are different from those used by the network tappingand packet brokering system. For example, an 802.11 monitoring devicemay be capable of demodulating 802.11 signals into 802.11 bitstreams.Network tapping and packet brokering systems expect wired networkprotocol packet formats, such as 802.3 Ethernet packet formats. Becausenetwork tapping and packet brokering systems are not compatible withwireless network protocol formats, network visibility has not been fullyextended into such networks.

Accordingly, there exists a need for network tapping and packetbrokering in wireless networks.

SUMMARY

A method for network tapping and packet brokering in wireless networksincludes tapping a signal in a wireless network. The method furtherincludes determining whether the signal is a valid signal according to awireless network protocol. The method further includes, in response todetermining that the signal is a valid signal according to the wirelessnetwork protocol, demodulating the signal into a sequence of bitsarranged according to the wireless network protocol. The method furtherincludes, in response to determining that the signal is not a validsignal according to the wireless network protocol, generating anindication that the signal is not a valid signal according to thewireless network protocol. The method further includes generating apacket in a format compatible with a network tapping and packetbrokering system. The method further includes inserting, in the packet,at least some of the bits or the indication. The method further includestransmitting the packet to the network tapping and packet brokeringsystem.

A system for network tapping and packet brokering in wireless networksincludes a wireless network tap for tapping a signal in a wirelessnetwork. The wireless network tap includes a valid signal determiningmodule for determining whether the signal is a valid signal according toa wireless network protocol. The wireless network tap further includes ademodulator for, responsive to a determination that the signal is avalid signal according to the wireless network protocol demodulating thesignal into a sequence of bits arranged according to the wirelessnetwork protocol. The system further includes a network tapping andpacket brokering interface for, in response to a determination that thesignal is not a valid signal according to the wireless network protocol,generating an indication that the signal is not a valid signal accordingto the wireless network protocol. The network tapping and packetbrokering interface module generates a packet in a format compatiblewith a network tapping and packet brokering system, inserts, in thepacket, at least some of the bits or the indication, and transmits thepacket to the network tapping and packet brokering system

The subject matter described herein can be implemented in software incombination with hardware and/or firmware. For example, the subjectmatter described herein can be implemented in software executed by aprocessor. In one exemplary implementation, the subject matter describedherein can be implemented using a non-transitory computer readablemedium having stored thereon computer executable instructions that whenexecuted by the processor of a computer control the computer to performsteps. Exemplary computer readable media suitable for implementing thesubject matter described herein include non-transitory computer-readablemedia, such as disk memory devices, chip memory devices, programmablelogic devices, and application specific integrated circuits. Inaddition, a computer readable medium that implements the subject matterdescribed herein may be located on a single device or computing platformor may be distributed across multiple devices or computing platforms.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter described herein will now be explained with referenceto the accompanying drawings of which:

FIG. 1 is a block diagram of system for network tapping and packetbrokering in wireless networks;

FIG. 2 is a flow chart of an exemplary process for network tapping andpacket brokering in wireless networks;

FIG. 3 is a diagram illustrating a method for encapsulating an 802.11adframe in an 802.3 Ethernet frame;

FIG. 4 is a diagram illustrating an alternate method for encapsulatingan 802.11ad frame in an 802.3 Ethernet frame; and

FIG. 5 is a diagram illustrating exemplary internal details of awireless network tap and a network tool optimizer.

DETAILED DESCRIPTION

FIG. 1 is a diagram illustrating an exemplary system for wirelessnetwork tapping and packet brokering according to an embodiment of thesubject matter described herein. Referring to FIG. 1, one or moreprocessing and or storage devices 100 may be wirelessly connected toeach other and communicate via a wireless local area network protocol,such as 802.11ad. A wireless network tap 102 may tap signals transmittedbetween devices 100 on the wireless local area network and may make aninitial determination as to whether a received signal is a valid signalaccording to the protocol being monitored. For example, if wirelessnetwork tap 102 monitors 802.11ad communications, wireless network tap102 may perform decorrelation processing according to the 802.11adstandard to extract potential single user signals from multi-usersignals. Wireless network tap 102 may then compare the potential singleuser signals to noise signatures or valid signal signatures to determinewhether the signals are potentially valid according to the 802.11adprotocol. If wireless network tap 102 identifies a signal as invalidaccording to the protocol being monitored, e.g., because the signalmatches a noise signature or fails to match a valid signal signature,then wireless network tap 102 may communicate an indication that thesignal is invalid to a network tap and packet brokering system 104.Network tapping and packet brokering system 104 may include one or morenetwork taps 106 that tap wired electrical and optical signals, and anetwork tool optimizer 108 that brokers monitored packets to one or morenetwork visibility applications 110.

If wireless network tap 102 determines that a signal is potentiallyvalid according to the protocol being monitored, wireless network tap102 may demodulate the signal to produce a packet formatted according tothe protocol being monitored. Continuing with the 802.11ad example,wireless network tap 102 may demodulate the signal into an 802.11adpacket or frame. Wireless network tap 102 may then convert the packetfrom the wireless local area network protocol to a protocol compatiblewith the network visibility system. In one example, wireless network tap102 may encapsulate the entire 802.11ad frame in an 802.3 Ethernetframe. In another example, wireless network tap 102 may replace one ormore layers of the 802.11ad frame with layers of the protocol used bythe network tapping and packet brokering system. For example, wirelessnetwork tap 102 may replace layers 1 and 2 of the 802.11ad protocol withlayers 1 and 2 of the protocol used by network tapping and packetbrokering system 104.

One potential advantage of using wireless network tap 102 overconventional wired network tap deployments is that wireless network tap102 can simultaneously monitor and tap packets between multiple withoutrequiring connections to wired physical interfaces of the devices. Inwired network tap deployments, a wired network tap is physicallyconnected by cables to network interfaces on which packets are tapped.If a new device is added to a network, a wired network tap may notnecessarily be capable of tapping packets from the newly added deviceunless those packets traverse the currently tapped network interfaces.In contrast, in the example illustrated in FIG. 1 where wireless networktap 102 is placed within the communication range specified by thewireless network protocol of device 100, wireless network tap 102 canmonitor all traffic between all devices. When a new device 100 is addedto the network, wireless network tap 102 can automatically tap trafficto and from the newly added device without requiring the addition ofwired connections to the newly added device.

FIG. 2 is a flow chart illustrating an exemplary process for networktapping and packet brokering in a wireless network according to anembodiment of the subject matter described herein. Referring to FIG. 2,in step 200, the process includes tapping a signal in a wirelessnetwork. For example, wireless network tap 102 may include a radiointerface compatible with the protocol used in the wireless network andcapable of intercepting a signal transmitted between processing orstorage devices 100 in the wireless network. In one example, the networkmay be an 802.11ad network, and the signal may be valid 802.11ad signalor an invalid signal, such as a noise signal intentionally transmittedto disrupt wireless communications in the 802.11ad network. If theprotocol uses is 802.11ad, wireless network tap 102 may include a radiointerface configured to monitor a frequency band centered around 60 GHz,which is the frequency band used by 802.11ad compatible devices.

In step 202, the process includes determining whether the signal is avalid signal according to a wireless network protocol. Determiningwhether the signal is a valid signal may include performingdecorrelation processing on the signal to extract a single user signalfrom multi-user signal and comparing the extracted signal to knownattack or valid signal signatures. If the signal does not match anattack signal signature or matches a valid signal signature, thencontrol proceeds to step 206, where the signal is demodulated accordingto the wireless local area network protocol to produce a sequence ofbits arranged according to the wireless local area network protocol.Continuing with the 802.11ad example, demodulating the signal mayinclude demodulating the signal using spread spectrum demodulation,single carrier demodulation, or orthogonal frequency divisionmultiplexing (OFDM) demodulation, as specified by the 802.11ad protocolto produce a packet or frame formatted according to the 802.11adprotocol.

Because network tapping and packet brokering system 104 may not beconfigured to receive wireless local area network packets formattedaccording to the wireless local area network protocol, in step 208, theprocess includes generating a packet in format compatible with a networktapping and packet brokering system. Control then proceeds to step 210where at least some of the bits from the demodulated wireless local areanetwork signal are inserted into the generated frame or packetcompatible with network tapping and packet brokering system 104.

In one example, the protocol used by the wireless local area network maybe 802.11ad, and the protocol used by the network tapping and packetbrokering system may be wired Ethernet (e.g., 802.3 Ethernet). FIG. 3illustrates one example of an 802.11ad frame 300 that may be tapped fromthe wireless local area network by wireless network tap 102. Referringto FIG. 3, an exemplary 802.11ad frame 300 is shown. The 802.11adstandard specifies three different modulation formats: OFDM, spreadspectrum modulation, and single carrier modulation. The OFDM frameformat is shown in FIG. 3 for illustrative purposes. A wireless networktap 102 according to the subject matter described herein may beconfigured to capture and demodulate any of the 802.11ad modulationformats.

FIG. 3 also illustrates an 802.3 Ethernet frame and packet structure.Such a frame and packet structure may be compatible with the protocol(802.3) used by network tapping and packet brokering system 104. In theillustrated example, 802.3 Ethernet frame 302 includes a medium accesscontrol (MAC) destination address, a MAC source address and 46-1500octets of payload. It can be seen from the difference between the 802.3Ethernet frame 302 and the 802.11ad frame 300, that the frame formatsare not compatible with each other. Accordingly, wireless network tap102 may convert the 802.11ad frame format into a format compatible withthe 802.3 protocol. One method for performing such a conversion isillustrated in FIG. 3, where the entire 802.11ad 300 is inserted intothe payload portion of an 802.3 Ethernet frame 302. If the 802.11adframe is more than 1500 octets, then the 802.ad frame may be fragmentedand included in the payload portions of more than one 802.3 frames. Oncethe 802.11ad frame is placed in the 802.3 frame, the start of framedelimiter and preamble are added to the 802.3 frame to form a layer 1Ethernet packet.

In an alternate implementation, rather than inserting the entire802.11ad frame in the 802.3 Ethernet frame, wireless network tap 102 mayextract values from selected fields from the 802.11ad frame and insertthose values in the 802.3 frame. For example, referring to FIG. 4, ifthe only protocols of interest in a given test to a network monitoringapplication are application layer protocols, wireless network tap 102may remove the frame body from the 802.11ad packet and insert only thedata in the data field of the 802.11ad frame in the 802.3 frame, therebyreplacing the layer 1 and 2 information from the 802.11ad frame thelayer 1 and 2 information from the 802.3 frame. Wireless network tap 102may also analyze data in the data field and selectively insert portionsof the data in the 802.3 frame. In another example, wireless network tap102 may insert data from more than one 802.11ad frame in a single 802.3frame. In yet another example, wireless network tap 102 may compress thedata from the 802.11ad frame before inserting the data in the 802.3frame.

Returning to FIG. 2, in step 212, the packet is transmitted to networktapping and packet brokering system 104. For example, wireless networktap 102 may transmit the 802.3 frame to network tapping and packetbrokering system 104 over a wired electrical or optical interface.Wireless network tap 102 may add inter-frame gaps between layer 1 802.3packets before transmitting the packets to network tapping and packetbrokering system 104. The wired electrical or optical interface used bywireless network tap 102 to communicate packets to network tapping andpacket brokering system 104 may be any suitable interface over whichnetwork tapping and packet brokering system is capable of communicating.One example of an interface used by a network tapping and packetbrokering system is a gigabit Ethernet interface. Because the packetsare formatted according to the protocol expected by network tapping andpacket brokering system 104, modifications to the existing networktapping and packet brokering system 104 are not required to monitor datatransmitted over the wireless network. As a result, network visibilityis extended in an efficient manner into the wireless network.

Returning to FIG. 2, in step 204, if the signal tapped from the wirelessnetwork is determined to be invalid according to the protocol beingmonitored, control proceeds to step 214 where an indication that thesignal is invalid according to the wireless network protocol isgenerated. Step 214 may be implemented by wireless network tap 102.Control then proceeds to step 208 where a packet compatible with networktapping and packet brokering system 104 is generated. Control thenproceeds to step 210 where the indication that the signal is invalid isinserted in the newly generated packet. In one example, the indicationthat the signal is invalid may be inserted in the payload of the packet.In another example, an unused header or trailer field may be used tocarry the indication of invalid signal. In step 212, the newly generatedpacket with the indication of invalid signal is transmitted to networktapping and packet brokering system 104 over a wired interface, such asa wired optical or electrical interface.

FIG. 5 is a block diagram illustrating wireless network tap 102 andnetwork tool optimizer 108 in more detail. Referring to FIG. 5, wirelessnetwork tap 102 include a radio interface 500 for tapping signals in awireless network. In one example, radio interface 500 may be an 802.11adinterface for tapping signals in an 802.11ad network. Wireless networktap 102 further includes a valid signal determining module 502 fordetermining whether a tapped signal is a valid signal according to theprotocol being monitored. In one example, valid signal determiningmodule 502 may decorrelate a received signal and compare thedecorrelated signal to a valid or invalid signal signature to determinewhether the signal includes valid 802.11ad content or is an attack ornoise signal.

If valid signal determining module 502 determines that the signal is avalid signal according to the protocol being monitored, valid signaldetermining module 502 may transmit the signal to a demodulator 502 fordemodulating the signal into a digital bit stream arranged according tothe wireless network protocol. If the protocol being monitored is802.11ad, demodulator 502 may implement spread spectrum demodulation,single carrier demodulation, or OFDM demodulation, as specified by the802.11ad protocol to produce digital bit stream arranged according tothe 802.11ad protocol. An example of such a bitstream is the 802.11adpacket illustrated in FIG. 3. Demodulator 502 may provide thedemodulated bit stream to a network tapping and packet brokering systeminterface 506. Network tapping and packet brokering system interface 506may generate a packet in a format compatible with network tapping andpacket brokering system 104. In one example, the packet format may be an802.3 Ethernet packet format. Network tapping and packet brokeringsystem interface 506 may insert at least some of the bits from thedemodulated bit stream into the 802.3 Ethernet packet and transmit thepacket to network tool optimizer 108 over a wired Ethernet interface.

If valid signal determining module 502 determines that the signal is nota valid signal according to the protocol being monitored, valid signaldetermining module 502 may inform a network tapping and packet brokeringinterface module 504 that the signal is invalid. Network tapping andpacket brokering system may generate a packet in the format compatiblewith network tapping and packet brokering system 104 and insert theindication that the signal is invalid according to the wireless networkprotocol in the payload portion of the packet. Wireless network tap 102may then transmit the packet to network tool optimizer 108 over a wirednetwork connection, such as a wired Ethernet connection.

Network tool optimizer 108 receives the 802.3 formatted Ethernet packetsfrom wireless network tap 102. In the illustrated example, network tooloptimizer 108 includes a plurality of tap ports 506 that receive tappedpackets from various sources, including wireless network tap 102.Network tool optimizer 108 further includes a plurality of tool ports508 that provide tapped packets to network monitoring tools 510. In theillustrated example, the network monitoring tools include an intrusiondetection application and a metering application, for example, to meternetwork usage if the wireless network is providing metered services toanother network. One or more filters 512 may be provided between some ofthe tap ports 506 and the tool ports 508 to filter copied packets toselectively direct only packets of interest to the associated networkmonitoring tool 510.

Both wireless network tap 102 and network tool optimizer 108 may includea processor 501 and a memory 503. Processor 501 and memory 503 ofwireless network tap 102 may execute or implement any one or more ofvalid signal determining module 502, demodulator 504, and network tapand packet brokering system interface 506. Alternatively, any one ormore of valid signal determining module, demodulator 504, and networktapping and packet brokering system interface 506 may be implemented inhardware or firmware. Processor 501 and memory 503 in network tooloptimizer 108 may provide for configuration of a switching matrix tocontrol forwarding of packets between tap ports 506 and tool ports 508.In addition, processor 501 and memory 503 of network took optimizer 108may provide for configuration of filters 512.

By providing wireless network tap 102, the visibility of networkmonitoring tools 510 is extended into wireless networks, even wirelessshort range local area networks, such as wireless 802.11ad network. Inone example, an attacker may seek to disrupt a wireless local areanetwork by broadcasting noise in the frequency band used by the wirelesslocal are network. In such a scenario, wireless network tap 102 detectsan invalid signal, generates an indication that an invalid signal hasbeen detected, formats and 802.3 Ethernet packet, inserts the indicationin the packet, and transmits the packet to network tool optimizer 108over a wired Ethernet connection. Network tool optimizer 108 receivesthe packet at one of its tap ports 506 and switches the packet to one oftool ports 508 and filter 512. Filter 512 may allow the packet to pass,as the packet may be marked to indicate that it carries information forintrusion detection application 510. The tool port 508 that received thepacket may transmit the packet to intrusion detection application 510over a wired or wireless link. Intrusion detection application 510 mayreceive the packet, read the indication of invalid signal, and generatea report or an alarm indicating the presence of an invalid signal in thewireless network.

In another example, wireless network tap 102 may tap a valid signalaccording to the protocol being monitored on the wireless network.Wireless network tap 102 may demodulate the signal into a sequence ofbits formatted according to the protocol being monitored. Wirelessnetwork tap 102 may then encapsulate some or all of the bits demodulatedfrom the wireless network in 802.3 Ethernet packets and transmit thepackets to network tool optimizer 108 over a wired Ethernet link.Network tool optimizer 108 may receive, at one of tap ports 506, the802.3 Ethernet packets encapsulating the data tapped from the wirelessnetwork and switch the packets to one or more of tool ports 508 with orwithout passing through filter 512. Whether or not the packets arefiltered may depend on the type of network tool or application thatultimately receives the packets via tool ports 508. For example, if thenetwork tool that receives the packets is a metering application, thenit may be desirable to filter packets so that streams of packets to andfrom particular users are tracked. If the network tool that receives thepackets is an intrusion detection application, then it may be desirableto pass the packets unfiltered to the tool port 508 so that all packetsmay be analyzed for potential attacks. The tool port that receives thepackets may provide the packets to the application connected to the toolport via a wired or wireless network connection.

It will be understood that various details of the presently disclosedsubject matter may be changed without departing from the scope of thepresently disclosed subject matter. Furthermore, the foregoingdescription is for the purpose of illustration only, and not for thepurpose of limitation.

What is claimed is:
 1. A method for network tapping and packet brokeringin wireless networks, the method comprising: tapping a signal in awireless network; determining whether the signal is a valid signalaccording to a wireless network protocol; in response to determiningthat the signal is a valid signal according to the wireless networkprotocol, demodulating the signal into a sequence of bits arrangedaccording to the wireless network protocol; in response to determiningthat the signal is not a valid signal according to the wireless networkprotocol, generating an indication that the signal is not a valid signalaccording to the wireless network protocol; generating a packet in aformat compatible with a network tapping and packet brokering system;inserting, in the packet, at least some of the bits or the indication;and transmitting the packet to the network tapping and packet brokeringsystem.
 2. The method of claim 1 wherein determining whether the signalis a valid signal according to the wireless network protocol includesdecorrelating the signal and determining whether the decorrelated signalmatches a valid signature for the wireless network protocol or a noisesignature.
 3. The method of claim 1 wherein determining whether thesignal is a valid signal according to the wireless network protocolincludes determining that the signal is a valid signal according to thewireless network protocol, wherein the wireless network protocolcomprises a wireless local area network protocol and whereindemodulating the signal comprises demodulating the signal usingdemodulation specified by the wireless local area network protocol. 4.The method of claim 3 wherein the wireless local area network protocolcomprises a short range wireless local area network protocol.
 5. Themethod of claim 4 wherein the short range wireless local area networkprotocol comprises an 802.11ad protocol.
 6. The method of claim 5wherein inserting, in the packet, at least some of the bits or theindication includes inserting an entire 802.11ad packet in an 802.3Ethernet packet.
 7. The method of claim 5 wherein inserting, in thepacket, at least some of the bits or the indication includes inserting apayload of an 802.11ad packet in an 802.3 Ethernet packet.
 8. The methodof claim 1 wherein transmitting the packet to the network tapping andpacket brokering system comprises transmitting the packet from awireless network tap to a network tool optimizer device over a wiredEthernet interface.
 9. The method of claim 8 comprising, at the networktool optimizer device, brokering the packet to at least one networkvisibility application.
 10. The method of claim 9 wherein brokering thepacket to at least one network visibility application includestransmitting a copy of the packet to the at least one network visibilityapplication.
 11. A system for network tapping and packet brokering inwireless networks, the system comprising: a wireless network tap fortapping a signal in a wireless network, the wireless network tapincluding: a valid signal determining module for determining whether thesignal is a valid signal according to a wireless network protocol; ademodulator for, responsive to a determination that the signal is avalid signal according to the wireless network protocol, demodulatingthe signal into a sequence of bits arranged according to the wirelessnetwork protocol; a network tapping and packet brokering systeminterface for, in response to a determination that the signal is not avalid signal according to the wireless network protocol, generating anindication that the signal is not a valid signal according to thewireless network protocol; and the network tapping and packet brokeringsystem interface for generating a packet in a format compatible with anetwork tapping and packet brokering system, inserting, in the packet,at least some of the bits or the indication; and the network tapping andpacket brokering system interface transmitting the packet to the networktapping and packet brokering system.
 12. The system of claim 11 whereinthe valid signal determining module decorrelates the signal anddetermines whether the decorrelated signal matches a valid signalsignature for the wireless network protocol or a noise signature. 13.The system of claim 11 wherein the valid signal determining moduledetermines that the signal is a valid signal according to the wirelessnetwork protocol, wherein the demodulator demodulates the signal usingdemodulation specified by the wireless network protocol, and wherein thewireless network protocol comprises a wireless local area networkprotocol.
 14. The system of claim 13 wherein the wireless networkprotocol comprises a short range wireless local area network protocol.15. The system of claim 14 wherein the short range wireless local areanetwork protocol comprises an 802.11ad protocol.
 16. The system of claim15 wherein the network tapping and packet brokering system interfaceinserts an entire 802.11ad packet in an 802.3 Ethernet packet.
 17. Thesystem of claim 15 wherein the network tapping and packet brokeringsystem interface inserts a payload of an 802.11ad packet in an 802.3Ethernet packet.
 18. The system of claim 11 comprising a network tooloptimizer, wherein the network tapping and packet brokering interfaceforwards the packet from the wireless network tap to the network tooloptimizer.
 19. The system of claim 18 wherein the network tool optimizerbrokers the packet to at least one network visibility application. 20.The system of claim 19 wherein brokering the packet to at least onenetwork visibility application includes transmitting a copy of thepacket to the at least one network visibility application.
 21. Anon-transitory computer readable medium having stored thereon executableinstructions that when executed by the processor of a computer controlthe computer to perform steps comprising: tapping a signal in a wirelessnetwork; determining whether the signal is a valid signal according to awireless network protocol; in response to determining that the signal isa valid signal according to the wireless network protocol, demodulatingthe signal into a sequence of bits arranged according to the wirelessnetwork protocol; in response to determining that the signal is not avalid signal according to the wireless network protocol, generating anindication that the signal is not a valid signal according to thewireless network protocol; generating a packet in a format compatiblewith a network tapping and packet brokering system; inserting, in thepacket, at least some of the bits or the indication; and transmittingthe packet to the network tapping and packet brokering system.